<html>
<head>
<title>External Command File Permissions</title>

<STYLE type="text/css">
<!--
        .Default { font-family: verdana,arial,serif; font-size: 8pt; }
        .PageTitle { font-family: verdana,arial,serif; font-size: 12pt; font-weight: bold; }
-->      
</STYLE>

</head>

<body bgcolor="#FFFFFF" text="black" class="Default">

<p>
<div align="center">
<h2 class="PageTitle">External Command File Permissions</h2>
</div>
</p>

<hr>


<p>
<strong><u>Notes</u></strong>
</p>

<p>
These instructions assume that you've installed Nagios on a dedicated monitoring/admin box that doesn't contain normal user accounts (i.e. isn't a public machine).  If you've installed Nagios on a public/multi-user machine, I would suggest setting more restrictive permissions on the external command file and using something like <a href="http://cgiwrap.unixtools.org/">CGIWrap</a> to run the CGIs as a specific user.  Failing to do so may allow normal users to control Nagios through the external command file!  I'm guessing you don't want that.  More information on securing Nagios can be found <a href="security.html">here</a>.
</p>


<p>
<strong><u>Introduction</u></strong>
</p>

<p>
One of the most common problems people have seems to be with setting proper permissions for the external command file.  You need to set the proper permission on the <i>/usr/local/nagios/var/rw</i> <b>directory</b> (or whatever the path portion of the <a href="configmain.html#command_file">command_file</a> directive in your <a href="configmain.html">main configuration file</a> is set to).  I'll show you how to do this.   Note: You must be <i>root</i> in order to do some of these steps...
</p>

<p>
<strong><u>Users and Groups</u></strong>
</p>

<p>
First, find the user that your web server process is running as.  On many systems this is the user <i>nobody</i>, although it will vary depending on what OS/distribution you are running.  You'll also need to know what user Nagios is effectively running as - this is specified with the <a href="configmain.html#nagios_user">nagios_user</a> variable in the main config file.
</p>

<p>
Next we're going to create a new group whose members include the user the web server is running as and the user Nagios is running as.  Let's say we call this new group '<b>nagiocmd</b>' (you can name it differently if you wish).  On RedHat Linux you can use the following command to add a new group (other systems may differ):
</p>

<p>
<font color="red">/usr/sbin/groupadd nagiocmd</font>
</p> 

<p>
Next, add the web server user (<i>nobody</i> or <i>apache</i>, etc) and the Nagios user (<i>nagios</i>) to the newly created group with the following commands:
</p>

<p>
<font color="red">/usr/sbin/usermod -G nagiocmd nagios</font><br>
<font color="red">/usr/sbin/usermod -G nagiocmd nobody</font>
</p> 

<p>
<strong><u>Creating the directory</u></strong>
</p>

<p>
Next, create the directory where the command file should be stored.  By default, this is <i>/usr/local/nagios/var/rw</i>, although it can be changed by modifying the path specified in the<a href="configmain.html#command_file">command_file</a> directory.
</p>

<p>
<font color="red">mkdir /usr/local/nagios/var/rw</font>
</p>

<p>
<strong><u>Setting directory permissions</u></strong>
</p>

<p>
Next, change the ownership of the directory that will be used to hold the command file...
</p>

<p>
<font color="red">chown nagios.nagiocmd /usr/local/nagios/var/rw</font>
</p> 

<p>
Make sure the Nagios user has full permissions on the directory...
</p>

<p>
<font color="red">chmod u+rwx /usr/local/nagios/var/rw</font>
</p> 

<p>
Make sure the group we created has full permissions on the directory.
</p>

<p>
<font color="red">chmod g+rwx /usr/local/nagios/var/rw</font>
</p> 

<p>
In order to force newly created files in the directory to inherit the group permissions from the directory, we need to enable the group sticky bit on the directory...
</p>

<p>
<font color="red">chmod g+s /usr/local/nagios/var/rw</font>
</p> 


<p>
<strong><u>Verifying the permissions</u></strong>
</p>

<p>
Check the permissions on the rw/ subdirectory by running '<b>ls -al /usr/local/nagios/var</b>'.  You should see something similiar to the following:
</p>

<p>
<font color="red">
<pre>
drwxrws---   2 nagios nagiocmd     1024 Aug 11 16:30 rw
</pre>
</font>
</p>

<p>
Note that the user <i>nagios</i> is the owner of the directory and the group <i>nagiocmd</i> is the group owner of the directory.  The <i>nagios</i> user has <b>rwx</b> permissions and group <i>nagiocmd</i> has <b>rw</b> permissions on the directory.  Also, note that the group sticky bit is enabled.  That's what we want...
</p>

<p>
<strong><u>Restart your web server</u></strong>
</p>

<p>
Once you set the proper permission on the directory containing the external command file, make sure to restart your web server.  If you fail to do this, Apache will not be able to write to the external command file, even though the user it runs as is a member of the nagiocmd group.
</p>

<p>
<strong><u>Additional notes...</u></strong>
</p>

<p>
If you supplied the <b>--with-command-grp=<i>somegroup</i></b> option when running the configure script, you can create the directory to hold the command file and set the proper permissions automatically by running '<b>make install-commandmode</b>'.
</p>


<hr>

</body>
</html>
